ASA and Load sharing using 2 ISPs

7th December 2011, 16:56

Guys, need some help and here is the context:

I have a Site-to-Site VPN set up.

In one site I am terminating my internet connection at the ASA via ISP1.

Now all of this will change. I am deploying a second WAN link via ISP2. Because I have some interesting private traffic coming from my internal server X, I need to send this traffic via ISP1 and the rest of private traffic coming from my other servers Y, Z via ISP2. Because ASA does NOT support PBR (policy based routing), my solution is to deploy a router in front of the ASA where I will terminate the 2 WAN connections. I am using ASA to NAT all my private traffic and the Router to apply PBR.

Here is my issue:

Ignoring most of the configurations this is the relevant part.

I am using a private subnet between ASA and Router because I do not have any other public IP other than the 2 subnets provided by the ISPs and being used on the Router WAN interfaces.

Question 1:
The private subnet between ASA and Router cannot be leaked out onto the Internet. How do I avoid this?

Question 2:
Is there any other completely different approach to still have load sharing with PBR?

I have been thinking of using the router to translate the private subnet via a static NAT ... but then I should have a public IP to translate it into. But how? Both of my WAN interfaces are already used with the ISP subnets.
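The following router configuration is an added illustration of the design described in the post (router in front of the ASA, PBR on the router, ASA doing NAT), not the poster's actual configuration or anything from petri.co.il. Every address, interface name, ACL name and route-map name is a placeholder. It assumes the transit subnet between ASA and router is 192.168.255.0/24, that the ASA translates server X to 192.168.255.10 and servers Y and Z to 192.168.255.11 (so the router can tell them apart), and that each ISP hands the router a small public block on its WAN interface. The point it demonstrates for Question 1 is that the router can overload (PAT) the transit subnet to the address of whichever WAN interface the packet leaves on, so no extra public IP is needed and the private transit addresses never appear as a source on the Internet; an outbound ACL on each WAN port catches anything that slipped past translation.

```cisco
! Added example, not the poster's config. All addresses/names are placeholders.
! Gi0/0 = transit to ASA outside, Gi0/1 = ISP1, Gi0/2 = ISP2.
! Assumed ASA-side NAT: server X -> 192.168.255.10, servers Y/Z -> 192.168.255.11.

interface GigabitEthernet0/0
 description Transit to ASA outside (private, must never leak)
 ip address 192.168.255.1 255.255.255.0
 ip nat inside
 ip policy route-map PBR-SPLIT
!
interface GigabitEthernet0/1
 description ISP1 WAN
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
 ip access-group NO-PRIVATE-LEAK out
!
interface GigabitEthernet0/2
 description ISP2 WAN
 ip address 198.51.100.2 255.255.255.248
 ip nat outside
 ip access-group NO-PRIVATE-LEAK out
!
! Everything not redirected by PBR follows the default route via ISP2
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! Classification: only the ASA-translated address of server X goes out ISP1
ip access-list extended SRV-X
 permit ip host 192.168.255.10 any
!
route-map PBR-SPLIT permit 10
 match ip address SRV-X
 set ip next-hop 203.0.113.1
! Packets that do not match fall through to normal routing (ISP2)
!
! NAT: pick the translation by egress interface, overload to that
! interface's own public address. No spare public IP is required.
ip access-list extended TRANSIT-NET
 permit ip 192.168.255.0 0.0.0.255 any
!
route-map NAT-ISP1 permit 10
 match ip address TRANSIT-NET
 match interface GigabitEthernet0/1
!
route-map NAT-ISP2 permit 10
 match ip address TRANSIT-NET
 match interface GigabitEthernet0/2
!
ip nat inside source route-map NAT-ISP1 interface GigabitEthernet0/1 overload
ip nat inside source route-map NAT-ISP2 interface GigabitEthernet0/2 overload
!
! Safety net: NAT runs before the outbound ACL on the outside interface, so
! any RFC1918 source still present here was not translated. Drop it.
ip access-list extended NO-PRIVATE-LEAK
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 permit ip any any
```

Two practical notes on this layout. First, the site-to-site VPN terminated on the ASA needs a fixed public address that the remote peer can reach; interface-address PAT only handles outbound sessions, so the ASA's outside address would normally get a one-to-one static translation to a spare address in ISP1's block (assuming the block has one), and the PBR rule would also need to send the ASA's own IKE/ESP traffic via ISP1 so the VPN stays on one path. Second, `show ip nat translations` and a packet capture on each WAN interface are the quick checks that the 192.168.255.0/24 transit addresses are really being translated and that the outbound ACL counters stay at zero.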